Weaknesses from a host of makers pose risks to military, aviation, shipping.

Mission-critical satellite communications relied on by Western militaries and international aeronautics and maritime systems are susceptible to interception, tampering, or blocking by attackers who exploit easy-to-find backdoors, software bugs, and similar high-risk vulnerabilities, a researcher warned Thursday.

Ground-, sea-, and air-based satellite terminals from a broad spectrum of manufacturers—including Iridium, Cobham, Hughes, Harris, and Thuraya—can be hijacked by adversaries who send them booby-trapped SMS text messages and use other techniques, according to a 25-page white paper published by penetration testing firm IOActive. Once a malicious hacker has remotely gained control of the devices, which are used to communicate with satellites orbiting in space, the adversary can completely disrupt mission-critical satellite communications (SATCOM). Other malicious actions include reporting false emergencies or misleading geographic locations of ships, planes, or ground crews; suppressing reports of actual emergencies; or obtaining the coordinates of devices and other potentially confidential information.

"If one of these affected devices can be compromised, the entire SATCOM infrastructure could be at risk," Ruben Santamarta, IOActive's principal security consultant, wrote. "Ships, aircraft, military personnel, emergency services, media services, and industrial facilities (oil rigs, gas pipelines, water treatment plants, wind turbines, substations, etc.) could all be impacted by these vulnerabilities."

Santamarta said that every single one of the terminals he audited contained one or more weaknesses that hackers could exploit to gain remote access. When he completed his review in December, he worked with the CERT Coordination Center to alert each manufacturer to the security holes he discovered and suggested improvements to close them. To date, Santamarta said, the only company to respond was Iridium. To his knowledge, the remainder have not yet addressed the weaknesses. He called on the manufacturers to immediately remove all publicly accessible copies of device firmware from their websites to prevent malicious hackers from reverse engineering the code and uncovering the same vulnerabilities he did.

The paper gave examples of the types of weaknesses affecting specific SATCOM systems and the types of attacks that they made possible. The Harris RF-7800B BGAN, for instance, is a terminal the manufacturer markets as providing tactical radio communications to militaries. Santamarta said the devices contain vulnerabilities that allow hackers to replace the normal firmware with malicious code. Adversaries could then monitor the geographic location of the people using the gear or completely disable communications once a device enters a precise area chosen by the attacker. The Harris BGAN M2M terminal can be commandeered by sending malicious SMS messages to it, the researcher reported.

BGAN terminals from Cobham, meanwhile, can be hijacked by exploiting a weakness in their authentication mechanism. "If a member of a unit was targeted with a client-side exploit while browsing the Internet during personal communications time, an attacker would be able to install malicious firmware in the terminal," Santamarta wrote. He went on to catalog weaknesses in terminals that underpin mission-critical SATCOM used in international aviation and shipping systems as well.
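The firmware-replacement weaknesses described above have a standard mitigation: a terminal's updater should accept an image only if it carries a valid vendor signature and a version newer than the one installed, so that neither a modified image nor a re-played older one can be written to flash. The following Go program is an added example and is not code from IOActive's paper or from any of the vendors named; the image layout (magic, version, payload, Ed25519 signature) is an assumed format constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed image layout, constructed for this example (not a vendor format):
//   bytes 0..3    magic "FWIM"
//   bytes 4..7    version, big-endian uint32
//   bytes 8..n-65 payload (firmware body)
//   last 64 bytes Ed25519 signature over everything before it
const (
	magic     = "FWIM"
	headerLen = 8
	sigLen    = ed25519.SignatureSize
)

var (
	ErrFormat    = errors.New("firmware image: malformed header")
	ErrSignature = errors.New("firmware image: signature verification failed")
	ErrRollback  = errors.New("firmware image: version is not newer than installed")
)

// GenerateKeys returns a vendor signing key pair. Only the public key would be
// provisioned into the terminal; the private key stays with the vendor's build system.
func GenerateKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// BuildImage produces a signed update image for the given version and payload.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	img := make([]byte, 0, headerLen+len(payload)+sigLen)
	img = append(img, magic...)
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	img = append(img, v[:]...)
	img = append(img, payload...)
	sig := ed25519.Sign(priv, img) // covers magic, version and payload
	return append(img, sig...)
}

// VerifyImage is the check an updater should run before touching flash: it rejects
// malformed, tampered or foreign-signed images and refuses version rollback.
// It returns the verified version and a copy of the payload.
func VerifyImage(pub ed25519.PublicKey, installed uint32, img []byte) (uint32, []byte, error) {
	if len(img) < headerLen+sigLen || string(img[:4]) != magic {
		return 0, nil, ErrFormat
	}
	signed, sig := img[:len(img)-sigLen], img[len(img)-sigLen:]
	// Check the signature before trusting any header field, including the version.
	if !ed25519.Verify(pub, signed, sig) {
		return 0, nil, ErrSignature
	}
	version := binary.BigEndian.Uint32(img[4:8])
	if version <= installed {
		return 0, nil, ErrRollback
	}
	payload := append([]byte(nil), signed[headerLen:]...)
	return version, payload, nil
}

func main() {
	pub, priv := GenerateKeys()
	img := BuildImage(priv, 2, []byte("constructed firmware body v2"))
	v, _, err := VerifyImage(pub, 1, img)
	fmt.Println("genuine image: version", v, "err", err)
	img[len(img)-1] ^= 0x80 // corrupt one signature byte
	_, _, err = VerifyImage(pub, 1, img)
	fmt.Println("tampered image: err", err)
}
```

Because the version field sits inside the signed region, an attacker who edits it to pass the rollback check also breaks the signature; the ordering of the checks matters less than the fact that every accepted field is covered by the signature.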

As concerning as it is that the devices Santamarta reviewed made their way into mission-critical systems before the weaknesses were discovered, it's even more problematic that most manufacturers have yet to respond to the private overtures initiated by CERT. Given the potential threat to public safety and national security, Santamarta called for action.

"The findings of IOActive's research should serve as an initial wake-up call for both the vendors and users of the current generation of SATCOM technology," he said.

Promoted Comments

Say, is there an online tutorial with step-by-step instructions on how to do this?

/jk

There probably is. The Ukrainian or Russian hackers who wrote the exploit code will be all too happy to sell it to you. Or you could trade them time on a botnet for it. Or bitcoins. Edit: not joking. That's how it works.

I work security. And I'm telling you it is utterly hopeless. Mostly because we got no political clout (top security officer must be in upper management, or what's the point!) and we got no access to money. We need to beg for anything that costs money, and need to beg to implement any change that may inconvenience someone, even if just a little. Also often powerless to stop others from creating brand new holes right under our noses.

46 Reader Comments

I would really love to be the fly on the wall in some of these meetings. It boggles my mind that a company would choose not to respond or address something like this, before it went public. They have to know that it's going to be published at some point and sooner rather than later if they choose to ignore it. It doesn't sound like this guy is just some random person saying, hey you have a problem.

You'd think the US government would conduct much more thorough audits of the security of mission critical COMSAT.

Working for civilian federal agencies, I have been entirely unimpressed with their knowledge or care for cybersecurity and that of their contractors, but I always assumed that was only on the civilian side...

Say, is there an online tutorial with step-by-step instructions on how to do this?

/jk

There probably is. The Ukrainian or Russian hackers who wrote the exploit code will be all too happy to sell it to you. Or you could trade them time on a botnet for it. Or bitcoins. Edit: not joking. That's how it works.

I work security. And I'm telling you it is utterly hopeless. Mostly because we got no political clout (top security officer must be in upper management, or what's the point!) and we got no access to money. We need to beg for anything that costs money, and need to beg to implement any change that may inconvenience someone, even if just a little. Also often powerless to stop others from creating brand new holes right under our noses.

You need the test kit with the published code. Then you adapt that code to create your own malformed PDU SMS. Been around for quite a few years now afaik. And look to the USA or EU. It's all legit. How do you think people are *supposed* to test this stuff?

Say, is there an online tutorial with step-by-step instructions on how to do this?

/jk

There probably is. The Ukrainian or Russian hackers who wrote the exploit code will be all too happy to sell it to you. Or you could trade them time on a botnet for it. Or bitcoins. Edit: not joking. That's how it works.

I work security. And I'm telling you it is utterly hopeless. Mostly because we got no political clout (top security officer must be in upper management, or what's the point!) and we got no access to money. We need to beg for anything that costs money, and need to beg to implement any change that may inconvenience someone, even if just a little. Also often powerless to stop others from creating brand new holes right under our noses.

I would imagine when you raise concerns they're met with either a) blank stares or b) 'But why would anyone do that?' type responses? (Never mind c) 'What do we need to do to fix it?' (unlikely response)...

This does not bode well for next gen planes, tanks and other equipment now designed to network and cooperatively engage the enemy. Friendly fire nightmares and/or dead equipment when under attack come to mind.

I sure hope there is some sort of alternate analog solution planning for cyber warfare setbacks.

I assume all significant nation states have already hacked the opposition's CommSats. Imagine if a *omg* terrorist took down a bunch of communication satellites with unlimited free texting? Tens of billions in hardware damage, and that doesn't even begin to account for the disruption on the ground.

No. Every system can be hacked with enough time and resources. However, this doesn't mean that it's acceptable to leave critical infrastructure open to simple exploits that have been around for a long time.

So you mean those movies where hackers trivially hijack satcom systems are true to life?

Of course, the NSA leaks show they even likely have the stupidly simple to use GUIs to do it with as well

My worldview, shattered again!

It's true. I accidentally ended up surfing DEC's internal research servers one day. Many years ago. Genuinely by accident. I was discovered though. And threatened. They had an external hardline into a box with no security and the usual bunch of open network shares once you were in. Mad. Those were the days of C$ Administrator blank being common mind you. Appalling all the same.

I assume all significant nation states have already hacked the opposition's CommSats. Imagine if a *omg* terrorist took down a bunch of communication satellites with unlimited free texting? Tens of billions in hardware damage, and that doesn't even begin to account for the disruption on the ground.

If you're interested in denial of service the easiest thing to try is to try to break the target initially at least just by overflowing the buffer the received sms goes into. You do this, as usual, by declaring the payload to be 'x' and making it 'y' length instead...
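Two comments in this thread, the one about adapting test-kit code to produce a malformed PDU SMS and the one above about a receive buffer that trusts the declared payload length, describe the same parser defect from the attacker's side: a terminal copies as many bytes as the message claims rather than as many as it received. The following Go program is an added example, not code from the page or from any vendor; it is a bounds-checked parser for a simplified SMS-DELIVER TPDU (field order and the 140-octet user-data limit follow GSM 03.40; only the general data-coding group is handled, which is an assumption of this example) and the sample message is constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// MaxUserDataOctets is the GSM 03.40 upper bound on TP-User-Data.
const MaxUserDataOctets = 140

var ErrMalformed = errors.New("sms-deliver: malformed or truncated TPDU")

// Deliver holds the fields this simplified parser extracts.
type Deliver struct {
	Originator string // decoded address digits
	DCS        byte   // TP-Data-Coding-Scheme
	UserData   []byte // TP-User-Data, exactly the bytes present in the TPDU
}

// cursor is a bounds-checked reader: every read is validated against the bytes
// actually received, which is the check a naive copy of UDL bytes omits.
type cursor struct {
	buf []byte
	pos int
}

func (c *cursor) u8() (byte, error) {
	if c.pos >= len(c.buf) {
		return 0, ErrMalformed
	}
	b := c.buf[c.pos]
	c.pos++
	return b, nil
}

func (c *cursor) take(n int) ([]byte, error) {
	if n < 0 || n > len(c.buf)-c.pos {
		return nil, ErrMalformed
	}
	out := c.buf[c.pos : c.pos+n]
	c.pos += n
	return out, nil
}

// decodeDigits unpacks reversed-nibble BCD digits; the final nibble of an odd-length
// address must be the 0xF filler and only decimal digits are accepted here.
func decodeDigits(b []byte, ndigits int) (string, error) {
	digits := make([]byte, 0, ndigits)
	for _, octet := range b {
		for _, nib := range [2]byte{octet & 0x0F, octet >> 4} {
			if len(digits) == ndigits {
				if nib != 0x0F {
					return "", ErrMalformed
				}
				continue
			}
			if nib > 9 {
				return "", ErrMalformed
			}
			digits = append(digits, '0'+nib)
		}
	}
	return string(digits), nil
}

// ParseDeliver parses first-octet, originating address, PID, DCS, SCTS, UDL and UD,
// rejecting any message whose declared lengths disagree with the bytes received.
func ParseDeliver(tpdu []byte) (*Deliver, error) {
	c := &cursor{buf: tpdu}
	first, err := c.u8()
	if err != nil || first&0x03 != 0x00 { // TP-MTI 00 = SMS-DELIVER
		return nil, ErrMalformed
	}
	ndigits, err := c.u8()
	if err != nil || ndigits == 0 || ndigits > 20 { // address length is at most 20 digits
		return nil, ErrMalformed
	}
	if _, err := c.u8(); err != nil { // type-of-address
		return nil, err
	}
	oa, err := c.take((int(ndigits) + 1) / 2)
	if err != nil {
		return nil, err
	}
	originator, err := decodeDigits(oa, int(ndigits))
	if err != nil {
		return nil, err
	}
	if _, err := c.u8(); err != nil { // TP-PID
		return nil, err
	}
	dcs, err := c.u8()
	if err != nil {
		return nil, err
	}
	if _, err := c.take(7); err != nil { // TP-SCTS timestamp
		return nil, err
	}
	udl, err := c.u8()
	if err != nil {
		return nil, err
	}
	// TP-UDL counts septets for the 7-bit alphabet and octets for 8-bit/UCS-2.
	var udOctets int
	switch {
	case dcs&0xC0 != 0x00: // assumption: only the general data-coding group is handled
		return nil, ErrMalformed
	case dcs&0x0C == 0x00:
		udOctets = (int(udl)*7 + 7) / 8
	case dcs&0x0C == 0x04, dcs&0x0C == 0x08:
		udOctets = int(udl)
	default:
		return nil, ErrMalformed // reserved coding
	}
	if udOctets > MaxUserDataOctets {
		return nil, ErrMalformed // declared length exceeds what any fixed buffer must hold
	}
	ud, err := c.take(udOctets) // fails if the declared length exceeds the bytes received
	if err != nil {
		return nil, err
	}
	if c.pos != len(tpdu) {
		return nil, ErrMalformed // trailing bytes: declared length shorter than payload
	}
	return &Deliver{Originator: originator, DCS: dcs, UserData: append([]byte(nil), ud...)}, nil
}

// SampleTPDU is a constructed SMS-DELIVER from +15551234567 with 8-bit user data "hello".
var SampleTPDU = []byte{
	0x04, 0x0B, 0x91, 0x51, 0x55, 0x21, 0x43, 0x65, 0xF7, 0x00, 0x04,
	0x41, 0x40, 0x11, 0x21, 0x10, 0x00, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o',
}

func main() {
	d, err := ParseDeliver(SampleTPDU)
	fmt.Printf("well-formed: %+v err=%v\n", d, err)
	bad := append([]byte(nil), SampleTPDU...)
	bad[18] = 0x20 // UDL now claims 32 octets while only 5 follow
	_, err = ParseDeliver(bad)
	fmt.Println("over-declared UDL:", err)
}
```

The three rejections at the end of ParseDeliver are the ones that matter: a UDL larger than the fixed buffer, a UDL larger than the bytes actually received, and a payload longer than the UDL. A parser that copies UDL bytes without the second check is the one the comments describe.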

No. Every system can be hacked with enough time and resources. However, this doesn't mean that it's acceptable to leave critical infrastructure open to simple exploits that have been around for a long time.

Or sometimes they can be hacked pretty much by reading the manuals and specs. Because a lot of old systems don't have security. At all. Oh wait. And new ones too. Like surveillance drones (Edit - as per Wired in 2012 they'd only patched half the drones 4 years later. Might not even be finished yet)..

Some SATCOM is on a "bent pipe". That is, the satellite just has mixers and filters but no demod/mod. The idea is to make the satellite modulation/bandwidth agnostic. You go in at one frequency and come out another, but the channel information doesn't change.

Brazilian hackers put NFM over the bent pipe satellites from time to time. They get busted, it goes quiet for a while, then a new band of radio hackers come along.

There is very little analog voice over military SATCOM these days, and certainly none of it is in Portuguese. The last time I recall legitimate use of simple NFM MILSATCOM was from the group that was looking for remains of servicemen in Vietnam.

The only thing keeping us even remotely 'safe' these days (as far as I can tell) is that being smart and nerdy is somewhat socially acceptable these days. So the kids who once would have been up till 6am every night trying to figure out how to get access to something, anything, over their 300bps modem go out partying instead. When was the last time you met a 15yr old who'd spent the last 12 hours staring at a hex editor? They're off sneakily downing beers instead... (and good luck to them)..

This does not bode well for next gen planes, tanks and other equipment now designed to network and cooperatively engage the enemy. Friendly fire nightmares and/or dead equipment when under attack come to mind.

I sure hope there is some sort of alternate analog solution planning for cyber warfare setbacks.

Seen Battleship lately? Also, government contractors slow to even *respond*?! Not surprising in the least. "They already bought 10-year service contracts!"

My only question is how easy it is to upload the malware to a specific satellite? I ask out of curiosity because I would expect this to be the hardest part of the attack; though it might be easy to do with readily available hardware.

I work security. And I'm telling you it is utterly hopeless. Mostly because we got no political clout (top security officer must be in upper management, or what's the point!) and we got no access to money. We need to beg for anything that costs money, and need to beg to implement any change that may inconvenience someone, even if just a little. Also often powerless to stop others from creating brand new holes right under our noses.

At the end of the day, trying to create a secure technical world is a fool's errand; in the rest of world history the capability for people to do bad things has always been there and whatever security existed was never absolute. That powerlessness you feel is just things working as normal.

My only question is how easy it is to upload the malware to a specific satellite? I ask out of curiosity because I would expect this to be the hardest part of the attack; though it might be easy to do with readily available hardware.

No idea but I'd probably start by picking the brain of somebody who works for a carrier that pushes traffic over the satellite you're interested in.

He called on the manufacturers to immediately remove all publicly accessible copies of device firmware from their websites to prevent malicious hackers from reverse engineering the code and uncovering the same vulnerabilities he did.

Security by obscurity?

If the manufacturers are going to offer firmware updates, which he is advocating, how does he intend to keep the firmware out of the hands of hackers (who may have, e.g., bought the equipment in question)? Even if you could keep the firmware off the Internet, that wouldn't make it secure. Lots of closed-source software gets successfully hacked, e.g. Windows, Adobe.

Edited to add: In the current era, you have to plan for a continuing series of updates, a la Patch Tuesday.

Sometime in the future some small, unambitious but actually secure OS may be developed, for which some secure applications will be written. (Sigh.)

He called on the manufacturers to immediately remove all publicly accessible copies of device firmware from their websites to prevent malicious hackers from reverse engineering the code and uncovering the same vulnerabilities he did.

Security by obscurity?

If the manufacturers are going to offer firmware updates, which he is advocating, how are they going to keep the firmware out of the hands of hackers (who may have, e.g., bought the equipment in question)? Even if you could keep the firmware off the Internet, that wouldn't make it secure. Lots of closed-source software gets successfully hacked, e.g. Windows, Adobe.

That's a pretty big *if* btw. Will they even have the original dev teams? Or sometimes even the source? ... Old is old..

You'd think the US government would conduct much more thorough audits of the security of mission critical COMSAT.

Working for civilian federal agencies, I have been entirely unimpressed with their knowledge or care for cybersecurity and that of their contractors, but I always assumed that was only on the civilian side...

It's too bad that we don't have some sort of agency with expertise in electronic security with that in its mission statement...

I know from personal experience that audits are pretty consistent. I've never heard of anyone using FTP, due to the obvious reasons. I think there is a STIG that mentions all of the details (Google it). I can say that I'm not entirely impressed with how some of the government entities update stuff either. I'm not at liberty to say specifically what. If these bureaucrats always rely on the traditional reactive position, they will always be in last place when it comes to vulnerabilities. This article really isn't new news at all. From my standpoint these issues have already been ironed out a long time ago; but that doesn't mean other countries have adopted better security postures. You have to keep in mind that Harris sells radios to military organizations all over the world and at different price points. Maybe there are issues with this specific Harris radio... but after reading some of the details in the original white paper it seems to be a bunch of infinite possibilities with no hard proof other than explaining possible virtual scenarios. Who is going to hack an RF signal in the middle of a remote location, like the desert? It doesn't mention tactical procedures or anything. I'm sure there has to be some encryption somewhere inline. You will never know unless you're the operator on the other end. These types of articles don't hold their weight in gold. They can only mention a limited amount of info and they leave tons of details out of the report.

You'd think the US government would conduct much more thorough audits of the security of mission critical COMSAT.

Working for civilian federal agencies, I have been entirely unimpressed with their knowledge or care for cybersecurity and that of their contractors, but I always assumed that was only on the civilian side...

Isn't one of the stated reasons for milspec equipment being so crazy-expensive is that it's supposed to be hardened against attacks?

What exactly have the various governments/militaries been paying for if this stuff is totally insecure and no better than its civilian equivalents?

It's called 'Due diligence'. Sometimes you hire somebody who knows what they're doing. Sometimes they don't. How can you tell for sure? Well, the price tag is a start... I have personal knowledge of a govt purchase where they chose the most expensive tender just to cover their asses. (Not security related mind you). But you get the thought process: expensive is good. Or at least defensible. Cheaping out is bad - you skimped so it's your fault...

Say, is there an online tutorial with step-by-step instructions on how to do this?

/jk

There probably is. The Ukrainian or Russian hackers who wrote the exploit code will be all too happy to sell it to you. Or you could trade them time on a botnet for it. Or bitcoins. Edit: not joking. That's how it works.

I work security. And I'm telling you it is utterly hopeless. Mostly because we got no political clout (top security officer must be in upper management, or what's the point!) and we got no access to money. We need to beg for anything that costs money, and need to beg to implement any change that may inconvenience someone, even if just a little. Also often powerless to stop others from creating brand new holes right under our noses.

Sounds like you'll always have a job, at least.

Maybe... notice all the points about lack of management support and money - there's a decent chance that security jobs end up getting cut when budgets are on the line. Yes, that makes the whole situation worse.

Isn't one of the stated reasons for milspec equipment being so crazy-expensive is that it's supposed to be hardened against attacks?

What exactly have the various governments/militaries been paying for if this stuff is totally insecure and no better than its civilian equivalents?

That was decades ago. Then some bright spark decided it would be cheaper and more reliable to go with COTS (Commercial Off The Shelf) hardware and software as much as possible, because it cost way too much and took way too long to develop purely-milspec versions of stuff. (There was a time, for example, when each of the missiles aboard fighter jets had something like 4x the computer power of the jets themselves, because the hardware for the jet had been frozen the year before first deployment.)

And in general it is cheaper and more reliable, it's just that using commercial stuff and opening your communications to commercial channels comes with a huge additional load of attacks.

Isn't one of the stated reasons for milspec equipment being so crazy-expensive is that it's supposed to be hardened against attacks?

What exactly have the various governments/militaries been paying for if this stuff is totally insecure and no better than its civilian equivalents?

While mil-spec gear is indeed hardened, think more along the lines of physically ruggedized. It usually involves making sure its components can handle weather extremes and shock and follow certain design parameters (like field repairability to some extent, and interference shielding). Software, on the other hand, is a much more complicated beast, and as the article illustrates there is no shortage of creative ways to defeat security. There is much work to be done to bring the software side up to the task in that regard.

I read the paper. It is all theoretical and hyped-up theater. As far as I can tell, there has been no actual exploit that can be demonstrated against the equipment.

For instance, just because a protocol is "undocumented" and/or proprietary does not make it a security weakness nor prove that it has an actual vulnerability. Indeed didn't Heartbleed teach us that open protocols are no less secure?

Disclaimer: I work for one of the companies mentioned in the article/paper.